IAVA Background

DOD has mandated that all C/S/A develop a methodology for ensuring:

- Vulnerability alert notifications are received by System Administrators
- Vulnerabilities are corrected within 30 days
- Periodic/random validation of system status
Vulnerability Compliance Tracking System

• Provide the ability to quickly notify and receive acknowledgement from subordinates of an IAVA
• Assess the impact of a vulnerability on the infrastructure
• Monitor status and closure of vulnerabilities
• Provide reporting to DoD of compliance
Vulnerability Compliance Tracking System

[Process diagram: an IAVA Alert Notice goes out to the SA; the SA verifies receipt, then logs status updates or requests a waiver through the VCTS Web Page; VCTS reports compliance to DISA. The VCTS Web Page provides capabilities for System Registration, System Administrator Updates and Permissions, and Organization Reporting.]
• Browser: Netscape 4.05 or IE 4.0
VCTS Security Features

• PKI Server Certificate
  - Data
• IP Filtering
• NTFS Permissions
• SQL Server Permissions
• Encrypted Data
• Daily Backups
• Monitoring
Other Agency Use of VCTS

• Host on platform with DISA
  - Data segregated with strict access control
  - Costs to be negotiated

• POC
  - Danette Wile
  - 717-267-9933
  - wiled@ritchie.disa.mil
BACKGROUND

IAVA-VCTS

VCTS Capabilities

• Reporting/oversight by ISSMs and XOs
• Update of SA/user information
• Registration/update of systems
• Delegation of browse & update to other SAs
• Automatic feed to IAVA of DISA's posture
Vulnerability Compliance Tracking System (VCTS) Capabilities

• Notification of alert to registered users based on function
• Acknowledgement of receipt by system
• Process for requesting waivers
• Tracking of closure/posture of vulnerabilities
VCTS Registration Process

[Process diagram, reconstructed as steps:]
- DISA Form 41 is submitted by FAX to RSA Chambersburg
- RSA Chambersburg creates the user's NT account, loads the IP address, creates the user profile and prepares the user package (5 days or less)
- The user package is shipped by FEDEX (1 day)
- The user returns the receipt via FAX
- The user account is activated within 24 hours

DMC Chambersburg fax: 717-267-9055
DSN: 570
Waiver Process
User Types

• XO
  - Receives all IAVA Alerts
  - Organizational view of the data
  - Notified when a waiver has been requested

• ISSM
  - Receives all IAVA Alerts
  - Organizational view of the data
  - Approves waiver prior to DAA adjudication
User Types

• System/Network Administrators
  - Receive only those bulletins for systems they have registered or for which they have been given update authority
  - Request waivers
  - Cannot view system data for which they have not been given explicit permission
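The two rules that drive what a user of such a tracker sees, the 30-day correction window from IAVA Background and the visibility rules in the User Types slides above, can be modelled compactly. The following is an added example written for this page; it is not DISA's VCTS code. The data model (Alert, System, Status, User), the posture labels, and every system name, user name and date are assumptions and constructed sample data.

```python
"""Illustrative model of VCTS-style IAVA compliance tracking.

Added example for this page, not DISA's VCTS software. It assumes a simple
data model and encodes two rules the slides state: the 30-day correction
window (IAVA Background) and the User Types visibility rules (an SA sees only
systems they registered or were delegated; ISSM/XO see their organization).
All systems, users and dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

CORRECTION_WINDOW_DAYS = 30  # "Vulnerabilities are corrected within 30 days"


@dataclass(frozen=True)
class Alert:
    alert_id: str
    issued: date


@dataclass
class System:
    name: str
    org: str
    owner_sa: str                                          # SA who registered it
    delegated_sas: Set[str] = field(default_factory=set)   # SAs given update authority


@dataclass
class Status:
    """SA-entered record for one (alert, system) pair; None means 'not yet'."""
    acknowledged: Optional[date] = None
    closed: Optional[date] = None
    waiver_requested: Optional[date] = None
    waiver_approved: Optional[date] = None
    waiver_expires: Optional[date] = None   # approver sets an expiration date


@dataclass
class User:
    name: str
    role: str   # "SA", "ISSM" or "XO"
    org: str


def posture(alert: Alert, status: Status, today: date) -> str:
    """Classify one system against one alert.

    Precedence: closed wins; an unexpired approved waiver counts as compliant;
    an unacknowledged alert is never compliant; a pending waiver is reported
    as such; otherwise the 30-day window decides OPEN vs OVERDUE.
    """
    if status.closed is not None:
        return "COMPLIANT"
    waived = status.waiver_approved is not None and (
        status.waiver_expires is None or today <= status.waiver_expires)
    if waived:
        return "WAIVED"
    if status.acknowledged is None:
        return "UNACKNOWLEDGED"
    if status.waiver_requested is not None and status.waiver_approved is None:
        return "WAIVER PENDING"
    deadline = alert.issued + timedelta(days=CORRECTION_WINDOW_DAYS)
    return "OPEN" if today <= deadline else "OVERDUE"


def visible_systems(user: User, systems: List[System]) -> List[System]:
    """ISSM/XO get the organizational view; an SA sees only systems they
    registered or were explicitly delegated; any other role sees nothing."""
    if user.role in ("ISSM", "XO"):
        return [s for s in systems if s.org == user.org]
    if user.role == "SA":
        return [s for s in systems
                if user.name == s.owner_sa or user.name in s.delegated_sas]
    return []


def compliance_report(user: User, alert: Alert, systems: List[System],
                      statuses: Dict[Tuple[str, str], Status],
                      today: date) -> Dict[str, str]:
    """By-system posture restricted to what the user may see. A system with
    no status record at all is treated as unacknowledged."""
    return {s.name: posture(alert, statuses.get((alert.alert_id, s.name), Status()), today)
            for s in visible_systems(user, systems)}


# Constructed sample data: one alert, four systems in two organizations.
TODAY = date(1999, 3, 10)
ALERT = Alert("1999-A-0001", issued=date(1999, 2, 1))   # 37 days before TODAY
SYSTEMS = [
    System("web1", "ORG-A", owner_sa="alice"),
    System("db1", "ORG-A", owner_sa="bob", delegated_sas={"alice"}),
    System("mail1", "ORG-A", owner_sa="bob"),
    System("fw1", "ORG-B", owner_sa="carol"),
]
STATUSES = {
    (ALERT.alert_id, "web1"): Status(acknowledged=date(1999, 2, 2), closed=date(1999, 2, 20)),
    (ALERT.alert_id, "db1"): Status(acknowledged=date(1999, 2, 3)),   # acknowledged, never closed
    (ALERT.alert_id, "fw1"): Status(acknowledged=date(1999, 2, 2), waiver_requested=date(1999, 2, 10),
                                    waiver_approved=date(1999, 2, 15), waiver_expires=date(1999, 6, 1)),
    # mail1 has no record: its SA never acknowledged the alert.
}

if __name__ == "__main__":
    for u in (User("alice", "SA", "ORG-A"), User("bob", "SA", "ORG-A"),
              User("issm-a", "ISSM", "ORG-A"), User("xo-b", "XO", "ORG-B")):
        print(u.name, u.role, compliance_report(u, ALERT, SYSTEMS, STATUSES, TODAY))
```

The ordering inside posture is the part worth checking in any real tracker: a waiver only suppresses OVERDUE while it is unexpired, and a system nobody has acknowledged is reported as UNACKNOWLEDGED rather than silently counted against the 30-day clock, so the report by system distinguishes "not received" from "received and not fixed".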
Current Reports Available

• ISSM/XO
  - Compliance Summary Report by Vulnerability (VM02)
  - Active Users by Organization (VM03)
  - Registered Systems by Organization (VM04)
  - Waiver Summary Spreadsheet (VM08)

• SA/ISSM/XO
  - Compliance/Acknowledgement Report by System (VS01)
  - Compliance/Acknowledgement Report by Vulnerability (VS02)
V 1.0 Outstanding Capabilities

• Complete Reporting
  - VS05/06 - Acknowledgement Report by User/System
    • By Organization/Site
    • By Alert
  - 1 March 1999

• Interim Waiver Process
  - CIO will grant/deny waivers regardless of accreditor
  - CIO will grant/deny waiver, indicate expiration date, and provide pertinent comments
  - Available 25 February 1999
V 2.0 Enhancements

• Link to Accredited System/Major Program
  - Allow for oversight by Program Management Office
  - Allow for Waiver Request/Granting for entire Program
  - Allow Email by PMO to SA(s)
  - Multiple accreditors based on system/program
  - Allow Accreditor to review site and system status
  - Allow Accreditor to review asset/component information
  - Cross-Organizational browsing at program level
V 2.0 Enhancements

• Fully automate waiver process
  - Through ISSM/Program/Technical/Adjudication Chain
  - Process for Major Programs to be determined by Program
  - Multiple DAAs
  - Ability to establish different waiver processes depending on program or system

• Specifications out for comment on 1 March 1999
V 2.x Requested Enhancements

• Status Information
  - Update status after completion
  - Allow browse by XO, ISSM, PMO, CIO
  - Provide list of N/A reasons

• Allow ISSM to enter Organizational Comment

• Acknowledgement
  - Unacknowledge Receipt
  - Confirm Acknowledgement
V 2.x Requested Enhancements

• Subscription to bulletins
• ISSM to give permission to a system within their organization to any registered SA
• Supporting reports for new functionality